
Example 11 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project nifi by apache.

From class RangerNiFiAuthorizer, method auditAccessAttempt.

/**
 * Emits the Ranger audit record for an authorization attempt that was
 * previously evaluated and parked in {@code resultLookup}.
 *
 * The parked result is removed under the lookup's monitor, so each request
 * is audited at most once. Nothing is logged when no result was parked for
 * the request or when Ranger marked the result as not to be audited.
 *
 * @param request the original NiFi authorization request (used as the lookup key
 *                and as the source of the audited resource path)
 * @param result  the NiFi-side outcome; not consulted here, the Ranger result is what gets audited
 */
@Override
public void auditAccessAttempt(final AuthorizationRequest request, final AuthorizationResult result) {
    final RangerAccessResult pendingResult;
    synchronized (resultLookup) {
        pendingResult = resultLookup.remove(request);
    }
    if (pendingResult == null || !pendingResult.getIsAudited()) {
        return;
    }
    final AuthzAuditEvent auditEvent = defaultAuditHandler.getAuthzEvents(pendingResult);
    // Overwrite resource type/path so the audit row reflects what NiFi actually asked for,
    // not the form the request was rewritten into for policy matching.
    auditEvent.setResourceType(RANGER_NIFI_RESOURCE_NAME);
    auditEvent.setResourcePath(request.getRequestedResource().getIdentifier());
    defaultAuditHandler.logAuthzAudit(auditEvent);
}

Example 12 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

From class RangerAtlasAuthorizer, method checkAccess.

/**
 * Evaluates a single request against the Atlas Ranger plugin.
 *
 * Fails closed: when the plugin has not been initialized, or when the engine
 * returns no result, the request is denied.
 *
 * @param request the populated Ranger access request
 * @return {@code true} only when Ranger explicitly allowed the request
 */
private boolean checkAccess(RangerAccessRequestImpl request) {
    // Snapshot the field once so a concurrent re-initialization cannot change it mid-check.
    final RangerBasePlugin activePlugin = atlasPlugin;
    if (activePlugin == null) {
        LOG.warn("RangerAtlasPlugin not initialized. Access blocked!!!");
        return false;
    }
    final RangerAccessResult decision = activePlugin.isAccessAllowed(request);
    return decision != null && decision.getIsAllowed();
}

Example 13 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

From class RangerKafkaAuthorizer, method authorize.

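/**
 * Authorizes a Kafka operation against the Ranger policy engine.
 *
 * Denies (returns {@code false}) while the plugin is uninitialized, when the
 * operation or resource type cannot be mapped to a Ranger request, when the
 * engine returns no result, or when the engine call throws.
 *
 * @param session   the client session; its principal and client address become
 *                  the requesting user and client IP of the Ranger request
 * @param operation the Kafka operation being attempted
 * @param resource  the Kafka resource (topic, cluster, consumer group, ...)
 * @return {@code true} only when Ranger explicitly allows the access, or when
 *         the resource is a consumer group (see the note below)
 */
@Override
public boolean authorize(Session session, Operation operation, Resource resource) {
    // Fail closed while the plugin is still initializing.
    if (rangerPlugin == null) {
        MiscUtil.logErrorMessageByInterval(logger, "Authorizer is still not initialized");
        return false;
    }
    // TODO: If resource type is consumer group, then allow it by default
    // NOTE(review): consumer-group requests return here and never reach the
    // Ranger evaluation below, so this is an unconditional allow rather than a
    // policy decision; the Group branch in the resource mapping further down is
    // therefore unreachable.
    if (resource.resourceType().equals(Group$.MODULE$)) {
        if (logger.isDebugEnabled()) {
            logger.debug("If resource type is consumer group, then we allow it by default!  Returning true");
        }
        return true;
    }
    RangerPerfTracer perf = null;
    if (RangerPerfTracer.isPerfTraceEnabled(PERF_KAFKAAUTH_REQUEST_LOG)) {
        perf = RangerPerfTracer.getPerfTracer(PERF_KAFKAAUTH_REQUEST_LOG, "RangerKafkaAuthorizer.authorize(resource=" + resource + ")");
    }
    String userName = null;
    if (session.principal() != null) {
        userName = session.principal().getName();
    }
    java.util.Set<String> userGroups = MiscUtil.getGroupsForRequestUser(userName);
    String ip = session.clientAddress().getHostAddress();
    // skip leading slash
    if (StringUtils.isNotEmpty(ip) && ip.charAt(0) == '/') {
        ip = ip.substring(1);
    }
    Date eventTime = new Date();
    String accessType = mapToRangerAccessType(operation);
    // Validation problems are collected here and reported once, then the request is denied.
    boolean validationFailed = false;
    String validationStr = "";
    if (accessType == null) {
        if (MiscUtil.logErrorMessageByInterval(logger, "Unsupported access type. operation=" + operation)) {
            logger.fatal("Unsupported access type. session=" + session + ", operation=" + operation + ", resource=" + resource);
        }
        validationFailed = true;
        validationStr += "Unsupported access type. operation=" + operation;
    }
    String action = accessType;
    String clusterName = rangerPlugin.getClusterName();
    RangerAccessRequestImpl rangerRequest = new RangerAccessRequestImpl();
    rangerRequest.setUser(userName);
    rangerRequest.setUserGroups(userGroups);
    rangerRequest.setClientIPAddress(ip);
    rangerRequest.setAccessTime(eventTime);
    RangerAccessResourceImpl rangerResource = new RangerAccessResourceImpl();
    rangerRequest.setResource(rangerResource);
    rangerRequest.setAccessType(accessType);
    rangerRequest.setAction(action);
    rangerRequest.setRequestData(resource.name());
    rangerRequest.setClusterName(clusterName);
    if (resource.resourceType().equals(Topic$.MODULE$)) {
        rangerResource.setValue(KEY_TOPIC, resource.name());
    } else if (resource.resourceType().equals(Cluster$.MODULE$)) {
    // NOPMD
    // CLUSTER should go as null
    // rangerResource.setValue(KEY_CLUSTER, resource.name());
    } else if (resource.resourceType().equals(Group$.MODULE$)) {
        // Unreachable: consumer-group requests were already allowed at the top of this method.
        rangerResource.setValue(KEY_CONSUMER_GROUP, resource.name());
    } else {
        logger.fatal("Unsupported resourceType=" + resource.resourceType());
        validationFailed = true;
        // Record the reason so the summary log below does not start with ", request=".
        validationStr += (validationStr.isEmpty() ? "" : "; ") + "Unsupported resourceType=" + resource.resourceType();
    }
    boolean returnValue = false;
    if (validationFailed) {
        MiscUtil.logErrorMessageByInterval(logger, validationStr + ", request=" + rangerRequest);
    } else {
        try {
            RangerAccessResult result = rangerPlugin.isAccessAllowed(rangerRequest);
            if (result == null) {
                logger.error("Ranger Plugin returned null. Returning false");
            } else {
                returnValue = result.getIsAllowed();
            }
        } catch (Throwable t) {
            // Broad catch is deliberate: any plugin failure denies the request instead of
            // propagating into the broker's request path.
            logger.error("Error while calling isAccessAllowed(). request=" + rangerRequest, t);
        }
    }
    RangerPerfTracer.log(perf);
    if (logger.isDebugEnabled()) {
        logger.debug("rangerRequest=" + rangerRequest + ", return=" + returnValue);
    }
    return returnValue;
}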

Example 14 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

From class RangerKylinAccessRequest, method checkPermission.

/**
 * Checks a Kylin permission request against the Ranger plugin.
 *
 * For project entities the project name is resolved from the entity UUID and
 * used as the Ranger resource; other entity types are sent with a null
 * project name. Denies when the plugin is not initialized or when Ranger
 * returns no result.
 *
 * @param user       requesting user
 * @param groups     groups of the requesting user
 * @param entityType Kylin ACL entity type (see {@code AclEntityType})
 * @param entityUuid UUID of the entity being accessed
 * @param permission Kylin permission being requested
 * @return {@code true} only when Ranger explicitly allows the access
 */
@Override
public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid, Permission permission) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerKylinAuthorizer.checkPermission( user=" + user + ", groups=" + groups + ", entityType=" + entityType + ", entityUuid=" + entityUuid + ", permission=" + permission + ")");
    }
    boolean allowed = false;
    if (kylinPlugin != null) {
        String projectName = null;
        final KylinConfig config = KylinConfig.getInstanceFromEnv();
        if (AclEntityType.PROJECT_INSTANCE.equals(entityType)) {
            final ProjectInstance project = ProjectManager.getInstance(config).getPrjByUuid(entityUuid);
            if (project == null) {
                // NOTE(review): an unknown UUID leaves projectName null and the request is
                // still evaluated; confirm policies match nothing for a null project.
                if (LOG.isWarnEnabled()) {
                    LOG.warn("Could not find kylin project for given uuid=" + entityUuid);
                }
            } else {
                projectName = project.getName();
            }
        }
        final RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups,
                ExternalAclProvider.transformPermission(permission), kylinPlugin.getClusterName(), clientIPAddress);
        final RangerAccessResult decision = kylinPlugin.isAccessAllowed(request);
        allowed = decision != null && decision.getIsAllowed();
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerKylinAuthorizer.checkPermission(): result=" + allowed);
    }
    return allowed;
}

Example 15 with RangerAccessResult

use of org.apache.ranger.plugin.policyengine.RangerAccessResult in project ranger by apache.

From class RangerYarnAuditHandler, method checkPermission.

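/**
 * Checks a YARN permission, first against Ranger and then, when Ranger did
 * not determine the access and native YARN ACLs are enabled, against the
 * YARN ACL.
 *
 * Fix: the cluster name was previously read from the {@code yarnPlugin}
 * field before the null check, so an uninitialized plugin threw a
 * {@code NullPointerException} instead of reaching the YARN ACL fallback (or
 * the deny). It is now read from the local snapshot inside the guarded block.
 *
 * @param accessType YARN access type being requested
 * @param entity     the privileged entity (queue, application, ...) being accessed
 * @param ugi        the requesting user
 * @return {@code true} when Ranger allows the access, or when Ranger made no
 *         determination and the YARN ACL allows it; {@code false} otherwise
 */
@Override
public boolean checkPermission(AccessType accessType, PrivilegedEntity entity, UserGroupInformation ugi) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + ")");
    }
    boolean ret = false;
    // Snapshot the field once so a concurrent re-initialization cannot change it mid-check.
    RangerYarnPlugin plugin = yarnPlugin;
    RangerYarnAuditHandler auditHandler = null;
    RangerAccessResult result = null;
    RangerPerfTracer perf = null;
    RangerPerfTracer yarnAclPerf = null;
    if (plugin != null) {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
            perf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + entity + ")");
        }
        // Read through the local snapshot, inside the null guard.
        String clusterName = plugin.getClusterName();
        RangerYarnAccessRequest request = new RangerYarnAccessRequest(entity, getRangerAccessType(accessType), accessType.name(), ugi, clusterName);
        auditHandler = new RangerYarnAuditHandler();
        result = plugin.isAccessAllowed(request, auditHandler);
    }
    // Fall back to YARN's own ACL only when Ranger had no applicable policy
    // (or no plugin) and native YARN authorization is enabled; otherwise the
    // Ranger decision is final and a missing result denies.
    if (RangerYarnAuthorizer.yarnAuthEnabled && (result == null || !result.getIsAccessDetermined())) {
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
            yarnAclPerf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnNativeAuthorizer.isAllowedByYarnAcl(entity=" + entity + ")");
        }
        ret = isAllowedByYarnAcl(accessType, entity, ugi, auditHandler);
    } else {
        ret = result != null && result.getIsAllowed();
    }
    // Audit events are buffered in the handler and written once per check.
    if (auditHandler != null) {
        auditHandler.flushAudit();
    }
    RangerPerfTracer.log(yarnAclPerf);
    RangerPerfTracer.log(perf);
    if (LOG.isDebugEnabled()) {
        LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(entity) + ", " + ugi + "): " + ret);
    }
    return ret;
}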
